ICO.

Information Commissioner's Office

Meeting: Audit Committee | Date: 07/12/2015
Agenda item: 6 | Time: 10 Minutes
Proactive publication: No | Internal publication: Yes

Title: Outstanding audit recommendations
Presenter: Peter Bloomfield

ICO Plan aim: 6. An efficient ICO well prepared for the future

Information rights aim: 10. The public confident in information rights law as necessary, serving the public interest, effective in practice and properly enforced.

Issue: The register of outstanding audit actions (internal and external) is presented for information and discussion. Recommendations from the two internal audit reports coming to this meeting are included.

Decision: There are no decisions.

Engagement treatment: None

Financial impact: Not relevant.

Risks: Not relevant.



Audit recommendations follow up 2015/16

This paper lists outstanding audit recommendations (internal and external) and reports on current status.

Please note that internal audit actions which are reported as closed will be moved to part 2 of the register after the Audit Committee meeting to allow a better focus on those which remain outstanding.

Where new dates have been agreed by the Committee these are shown in the “forecast due date” column. Actions are subsequently treated as being on track unless and until these new dates are missed.

Audit recommendations that have been actioned before the audit reports came to Audit Committee are not included as the committee will have had visibility of the recommendation and its clearance at the meeting.

Part 1 - Internal audit recommendations
Part 2 - Cleared internal audit recommendations
Part 3 - External audit recommendations

Performance in clearing internal audit recommendations

Meeting | Actions added since last meeting | Actions cleared since last meeting | Total outstanding | High risk actions outstanding (on track / late) | Medium risk actions outstanding (on track / late) | Low risk actions outstanding (on track / late)
07/09/15 | | | | / | / | /
07/12/15 | | | | / | / | /
Part 1 - Internal audit recommendations

Columns: Audit | Year | No | Title | Risk level | Owner | Recommendation | Response | Original due date | Forecast due date | Date cleared

Audit: Corporate and financial planning | Year: 14-15 | No: 4 | Title: Strategic outcomes | Owner: Deputy Commissioner DP
Recommendation: The ICO should review its Information Rights Strategy to confirm that the ten strategic outcomes remain relevant and aligned to the environment within which the ICO operates in 2015 and beyond.
Response: The Information Rights Strategy has not been reviewed since 2011 and whilst it is not substantially out of date it ought to be reviewed. However the ICO will have a new Commissioner by the summer 2016 and a new Deputy Commissioner sometime afterwards and (importantly) should by then know more about the impact of the new EU data protection regulation. These factors mean that the strategy will not be reviewed until late 2016 at the earliest.

Audit: Staff recruitment | Year: 15/16 | No: 1 | Title: Recruitment strategy | Owner: Head of OD
Recommendation: To build on the objectives set out in the recruitment and selection policy and procedures, Organisational Development should develop a recruitment strategy.
Response: The ICO will develop a people strategy setting out the approach to managing, developing and supporting the ICO’s people. One strand will be the development of a recruitment and selection strategy to elaborate on the recruitment and selection policy and setting out known recruitment plans for the coming 12-18 months.

Date columns (original due / forecast due / cleared) for the records above carry one entry: 31/12/15


Audit: Staff recruitment | Year: 15/16 | No: 2 | Title: Reviewing and authorising vacancies | Owner: Head of OD
Recommendation: When evaluating replacement posts the Head of Department should submit a business case detailing the need for the post as part of the sign off of the recruitment request by the Head of OD. When submitting posts for evaluation a min, max and average wage cost and all other supporting costs should be provided to ET to enable them to make a fully informed decision as to the maximum cost of the role.
Response: Staff requisition forms to be updated to require Departmental Heads to elaborate on the need for a post and confirm if alternative options were considered. A new procedure for the creation and implementation of new posts to be developed which includes the job grading process. This will require the cost information.

Audit: Staff recruitment | Year: 15/16 | No: 3 | Title: Screening and pre-shortlisting | Owner: Head of OD
Recommendation: To reduce the number of candidates at shortlisting, OD should implement a screening step into the recruitment process. To improve the efficiency of the shortlisting policy, it should be reviewed. PDF documents should be used to remove candidates’ personal information from experience statements and CV details, and electronic storage and collation should be used instead of physical copies being printed for each panel member.
Response: Work with managers to develop a process to screen out obviously unsuitable applications before submitting them to shortlisting managers, where high numbers of applications are received. Recruitment and selection procedures to be amended accordingly.
Audit: Staff recruitment | Year: 15/16 | No: 4 | Title: Managing reference and pre-employment checks | Owner: Head of OD
Recommendation: To provide assurance that each recruitment is proceeding in a timely manner and all documentation has been requested (or received), the team should complete each section of the “right to work” spreadsheet once the relevant step has been concluded.
Response: The team will be reminded to complete all aspects of the spreadsheet and management to complete periodic audits to ensure the spreadsheet is completed.

Audit: Staff recruitment | Year: 15/16 | No: 5 | Title: Interview training and guidance | Owner: Head of OD
Recommendation: One to one recruitment and selection training should include a specific section on competency based interviewing covering how candidate answers should be assessed and how scoring may be effectively supported by evidence should a review of interview notes or the selection process be required.
Response: One to one briefing sessions to include competency based interviews and guidance on assessing the quality of responses.

Audit: Staff recruitment | Year: 15/16 | No: 6 | Title: Improvement | Owner: Head of OD
Recommendation: To provide additional rigour to the recruitment training, as part of each one to one training session each trainee should be formally assessed by the training provider to confirm that they have reached an acceptable standard.
Response: One to one briefing sessions will give managers the opportunity to undertake a practice interview with the training provider or another individual.

Audit: Staff recruitment | Year: 15/16 | No: 7 | Title: Refresher training | Owner: Head of OD
Recommendation: OD should review the policy for recruitment and selection with L and D and develop mandatory refresher training for all relevant staff.
Response: Mandatory refresher training for all those involved in recruitment is unlikely to be a proportionate response. HR team members involved in recruitment panels can remind panel members of their obligations, processes and legal issues. But places on recruitment training sessions will be available to experienced recruiters and managers to be updated on changes to law affecting recruitment.

Audit: Staff recruitment | Year: 15/16 | No: 8 | Title: Management information | Owner: Head of OD
Recommendation: A recruitment and selection dashboard should be developed for reporting to Leadership Group and Management Board.
Response: Information will be collated quarterly for Management Board and Leadership Group. [For January MB]

Audit: Staff recruitment | Year: 15/16 | No: 9 | Title: Monitoring recruitment and retention lessons learnt | Owner: Head of OD
Recommendation: As part of monitoring retention rates OD should review each person leaving who completes less than one year of service. This review should make reference to the recruitment and selection process that resulted in their appointment including an objective assessment of individual recruiting managers to identify any additional training needed.
Response: Feedback to be obtained from recruiting managers and the team managers to gauge the effectiveness of those recruited. Report back to recruiting panels for consideration in future exercises. [To use recent large scale recruitment of case officers as the basis for this work]

Date columns (original due / forecast due / cleared) for the records above carry two entries: 25/01/16 and 31/03/16


Audit: Staff recruitment | Year: 15/16 | No: 10 | Title: Recruitment satisfaction surveys | Owner: Head of OD
Recommendation: The team should develop a customer satisfaction survey that seeks applicant feedback on timeliness, the effectiveness of the communications process and the interview process. On completion of a recruitment cycle this survey should be sent to the successful (and if appropriate unsuccessful) candidates who attended interviews. Results should be incorporated into the recruitment dashboard.
Response: We will explore this suggestion as part of our review of the recruitment process as a whole.

Audit: Finance System benefits realisation | Year: 15/16 | No: 1 | Title: Project governance | Owner: Head of Customer and Business Services
Recommendation: The ICO should translate all benefits set out in project initiation documents into specific delivery requirements that should then be formally tracked by the project board. Any benefits or requirements that are not to be delivered should be removed in a controlled manner with the agreement from the Project Board and project sponsor. In addition, project closure documentation should clearly indicate the delivery status of each requirement or benefit set out in the original project brief or initiation document. If removed, the reason for removal/de-scoping and formal agreement should be documented.
Response: Our project management methodology (PM) requires the development of a Product Backlog to both articulate and track all project requirements and deliverables. Our PM methodology does not refer to a PID by name, but we agree the requirements that need to be tracked and are satisfied that we have the mechanisms in place (in the form of our Product Backlog and associated processes) to do that. It is recognised however that this was not done in this case. The recommendation is therefore agreed and no further action is required.

Audit: Finance System benefits realisation | Year: 15/16 | No: 2 | Title: Lessons learnt | Owner: Head of Customer and Business Services
Recommendation: In addition to project management factors and technical requirements, future project closure reviews should also take into account how effective the project has been from an end user perspective and if the project delivered to time and cost. The ICO should also develop and integrate into the project management methodology a process for the communication of good practice, developing methodologies and lessons learned across individuals and teams involved in project delivery.
Response: We are satisfied that the positive outcomes from the finance project were understood by those involved and shared with all stakeholders and interested parties. We have however reviewed our lessons learnt process to ensure things are recorded more clearly.

Audit: Staff performance management | Year: 15/16 | No: 1 | Title: Scope and responsibility of the moderation panel | Owner: Head of Organisational Development
Recommendation: ICO should review the scope of the Moderation Panel and the continued need for it to meet formally at year end. Then if ICO still considers the Panel adds value, the Panel name and Terms of Reference should be updated to reflect its new role and responsibilities.
Response: The role of the Panel will be reviewed and updated in the next iteration of the PDR guidance. Options include scrapping the panel as a “Not Effective” rating can only be awarded following formal performance management processes.

Audit: Staff performance management | Year: 15/16 | No: 2 | Title: PDR guidance and management development | Owner: Head of Organisational Development
Recommendation: Taking into account the changes in the performance appraisal and development process, L&D should review and develop the guidance and support available for both staff and managers to include such areas as managing and developing poor performance and the coaching and development of staff and maximising potential. To sit alongside the PDR process, L&D should also complete the development of the informal reward and recognition policy and procedure. This policy should then be presented to the Senior Leadership Team for agreement and release.
Response: Managing Poor Performance processes to be reviewed as part of update of Resolution Policies. A brief guide for managers on “recognising great performance” was published November 2015. Access to coaching and mentoring is available to managers via L&D, and is being accessed. This can be emphasised via the manager peer network which has been established and is facilitated by L&D. Managing Poor Performance training and guidance is part of the suite of training available for managers.

Audit: Staff performance management | Year: 15/16 | No: 3 | Title: PDR records and data | Owner: Head of Organisational Development
Recommendation: To provide assurance on the effective operation of the PDR process, the Learning and Development team should maintain central control of PDR records. This should include:
- Registration (date) of in year meetings and assessment markings;
- Registration (date) and formal assessment marking at end of year;
- Agreed completed PDR assessment form.
To facilitate the process, L&D should also send reminders to staff and line managers at key points in the appraisal process to remind them of their responsibilities.
Response: PDR system only requires end of year markings to be recorded. Minfo functionality to be switched on to allow managers to update PDR records, including dates, assessment markings and automated reports created for staff and line managers. Until Minfo functionality is switched on, reminders to be provided to managers to ensure PDR records are submitted at year end.

Audit: Staff performance management | Year: 15/16 | No: 4 | Title: Objective setting | Owner: Head of Organisational Development
Recommendation: At the start of each reporting year Business Unit Managers should develop a standard SMART set of aims, objectives and measures for staff in their Units that directly support the unit's aims (and therefore ultimately the ICO strategy). Prior to these being rolled out to staff, these aims and objectives should be reviewed by L&D to provide assurance that in addition to the strategic fit, they are also consistent across the department.
Response: It is impractical to have a single set of SMART objectives for the business units to use. It is also impractical to require L&D to sign these off before roll out. Heads of department will be reminded of the need for their managers to create objectives that relate to the business plan and to seek support from L&D if they need assistance with making them SMART.

Audit: Staff performance management | Year: 15/16 | No: 5 | Title: Management information and reporting | Owner: Head of Organisational Development
Recommendation: As part of the control of PDR records, HR should collate and report management information on:
- Total no. of PDRs completed at the end of the reporting year and their final mark;
- Total no. of completed PDRs sent to HR for retention centrally;
- Total no. of in year reviews completed and their marking;
- Total no. of informal performance plans in operation;
- No. of staff moving from an informal 'not effective' to 'effective' during the year (and vice versa);
- Total no. of staff currently on formal performance improvement measures;
- Overall performance statistics (what percentage of staff fall into each performance category) together with a comparison against expected target percentages for each category.
This information should be presented to the Senior Leadership Team on a quarterly basis so trends in performance (and assurance over PDR completion) can be ascertained.
Response: As part of the transition to Minfo based PDRs, we will ask the database suppliers to create auto reports providing this information to heads of departments and HR. We do not wish to impose forced distribution or targets for each performance category.




Part 3 - External audit recommendations 13/14

Columns: Title | Area | Recommendation | Management response | Status and date cleared | Notes

2014/15

Title: Management Accounts | Area: Expenditure
Recommendation: Consider whether additional information on spending controls should be given to allow monitoring of spend against control totals.
Management response: Following implementation of the new system, a formal month end process will be implemented which will involve variance analysis directly from each budget holder. Phase 2 of the new system will be the purchase requisition system which only allows appropriate sign off levels and alerts if a budget is over (or close to) budget. Work will commence in June/July 2015.
Status and date cleared: Original clearance date 31/07/15.
Notes: A new month end process had already been implemented, including variance analysis. Spending controls information is included in monthly management accounts. The final element, the new purchase requisition system, was rolled out beginning of November.

2015/16

Title: Contracts of employment | Area: Payroll expenditure
Recommendation: The ICO should ensure that contracts of employment are up to date for all employees.
Management response: Up to date contracts are now in place.
Status and date cleared: Cleared by date of June Audit Committee, 08/06/15.

[Redacted]

Title: Framework agreement | Area: Expenditure
Recommendation: The ICO should ensure that the Framework agreement is updated as soon as possible.
Management response: The current framework agreement with the Ministry of Justice will be updated once the triennial review report is finalised. Any change will reflect the broad nature of the revised apportionment model.
Status and date cleared: In discussion with DCMS on 10 November it was agreed to amend the framework document as soon as possible after the spending review announcement on 25 November, as it would then be possible to include any new government spending restrictions as well as any existing or new DCMS spending or delegation restrictions. Realistically this means that the framework document might not be agreed till nearer to the end of the financial year. Expected clearance date now 31/03/16.

Title: Non-current assets
Recommendation: The asset registers should be reviewed to ensure that all assets recorded exist and are still owned by the ICO and also are currently in use. When items are purchased they should be recorded individually on the asset registers in order to aid identification (some items are currently entered as one lump sum).
Management response: This is agreed and the work is scheduled to be completed later in the financial year, in time for the end of year audit.




